[Samba] password strength doubt (maximum password age not working)
Cleber P. de Souza
cleberps at gmail.com
Thu Dec 28 13:07:05 GMT 2006
Hi Guido,
> Now what I'm missing:
>
> 1) check that the new password is not similar to the old one.
The pam_cracklib man pages show exactly what you found:
By default, pam_cracklib performs a number of basic checks on the new password:
Simple Checks (http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html)
* Is the new password just the old password with the letters
reversed ("password" vs. "drowssap") or rotated ("password" vs.
"asswordp")?
* Does the new password only differ from the old one due to change
of case ("password" vs. "Password")?
* Are at least some minimum number of characters in the new
password not present in the old password? This is where the "difok"
parameter comes into play.
The difok value sets how many characters must differ from the current
password.
> 2) check that the new password has at least 2 digits.
>
The dcredit value from pam_cracklib does this. Set it to 2 for your desired results.
The man pages show a lot of information.
Take care to read all the options.
Any doubts, ask the list.
> The thing I found that doesn't work is the pdbedit -P "maximum password
> age" -C someunixtime
> The default says 4294967295 and if I put 1180224000 instead (6 months),
> when I change a password it goes to 1907!
>
> Any clues?
>
> Thanks.
>
>
>
> Guido Lorenzutti wrote:
> > well.... obey pam restrictions and "encrypt passwords = yes" don't
> > work at the same time. If you select "encrypt passwords = yes", "obey
> > pam ..." doesn't work anymore. And I can't say no to encrypt passwords...
> >
> > Any other idea?
> >
> >
> > Guido Lorenzutti wrote:
> >> Thank you for your answer, but I tried what you said and it doesn't work.
> >> I am now using obey pam restrictions, I restarted samba... and this is my
> >> pam config:
> >>
> >> bowman:/var/log# cat /etc/pam.d/samba
> >> account required /lib/security/pam_unix.so
> >> account sufficient /lib/security/pam_ldap.so
> >> auth required /lib/security/pam_env.so
> >> auth sufficient /lib/security/pam_unix.so likeauth nullok shadow
> >> auth sufficient /lib/security/pam_ldap.so use_first_pass
> >> auth required /lib/security/pam_deny.so
> >> password required /lib/security/pam_cracklib.so minlen=6 dcredit=2 difok=2 retry=3
> >> password sufficient /lib/security/pam_unix.so nullok use_authtok shadow md5
> >> password sufficient /lib/security/pam_ldap.so use_authtok
> >> password required /lib/security/pam_deny.so
> >> session required /lib/security/pam_limits.so
> >> session required /lib/security/pam_unix.so
> >> session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=077
> >> session optional /lib/security/pam_ldap.so
> >>
> >> bowman:/var/log# testparm -v | grep obey
> >> Load smb config files from /etc/samba/smb.conf
> >> Processing section "[personal]"
> >> Processing section "[netlogon]"
> >> Processing section "[profiles]"
> >> Processing section "[publico]"
> >> Processing section "[Grupos]"
> >> Processing section "[profiles2]"
> >> Processing section "[payroll]"
> >> Processing section "[payrolladmin]"
> >> Processing section "[Aida]"
> >> Processing section "[esempi]"
> >> Loaded services file OK.
> >> Server role: ROLE_DOMAIN_PDC
> >> Press enter to see a dump of your service definitions
> >>
> >> obey pam restrictions = Yes
> >>
> >> But when I try to change the password, I can still use my old one. I
> >> can use a password without the two digits... like nothing.
> >> Are you sure that with LDAP the obey pam restrictions works?
> >>
> >> Thanks in advance... Sorry for my English.
> >>
> >>
> >> Cleber P. de Souza wrote:
> >>> Hi Guido,
> >>>
> >>> There are a set of ways to accomplish such a task.
> >>> Some I use are:
> >>> 1) Set obey pam restrictions = yes in the smb.conf file.
> >>> 2) Set check password script = /usr/sbin/crackcheck -d /usr/lib/cracklib_dict
> >>> This checks the user's password against a dictionary. Crackcheck can be
> >>> downloaded from samba
> >>> (http://people.samba.org/bzr/mwxia/samba-soc/examples/auth/crackcheck/).
> >>>
> >>> The cracklib package must be installed for the dictionary to work.
> >>> 3) Use PAM pam_cracklib to set your password rules for lower/upper
> >>> characters, numbers, special characters, etc:
> >>> password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 lcredit=-1
> >>> Or pam_passwdqc for the same thing:
> >>> password requisite /lib/security/$ISA/pam_passwdqc.so min=disable,8,8,8,8 max=25 passphrase=0 match=6 similar=deny random=64 enforce=users retry=3
> >>> See the man pages for the correct option values.
> >>> 4) You can block users after X retries using pam pam_tally.so, but I
> >>> haven't tried this yet.
> >>>
> >>> I think this can help you.
> >>>
> >>>
> >>> On 12/26/06, Guido Lorenzutti <guido at lorenzutti.com.ar> wrote:
> >>>> Maybe I can do this with the "check password script". But I only found
> >>>> the cracklib example. Does anyone know a way of doing this? Because the
> >>>> cracklib example only checks against a dictionary.
> >>>>
> >>>> Thanks in advance.
> >>>>
> >>>>
> >>>> Gary Dale wrote:
> >>>> > I think you'll find at least some of these are Windows Policies and
> >>>> > would not be reflected in the smb.conf file. If you check the Samba
> >>>> > Howto collection and the Samba by example documents at samba.org,
> >>>> > you'll find examples of how to set some of the policies.
> >>>> >
> >>>> > To be honest, I've never gone beyond requiring password changes,
> >>>> > minimum lengths and histories. :)
> >>>> >
> >>>> >
> >>>> > Guido Lorenzutti wrote:
> >>>> >> Hi people! I have a few problems with the password strength in Samba.
> >>>> >> I have a PDC with LDAP on Debian Stable, with a few packages from
> >>>> >> backports.
> >>>> >> The problem is that I can't find a way to enforce strength on the
> >>>> >> users' passwords. I can't define a policy to force things like:
> >>>> >> number of uppercase letters, number of lowercase letters, number of
> >>>> >> digits in the password, to check the difference between the new and
> >>>> >> the old, to store a list of old passwords to check... I mean, things
> >>>> >> that are required to enforce some security policy by my company.
> >>>> >> Bottom line? The users can use their username as their password! Not
> >>>> >> even that is checked...
> >>>> >>
> >>>> >> Is something wrong in my setup, or is this a feature request? I see min
> >>>> >> password length.. but.. the rest?
> >>>> >>
> >>>> >>
> >>>> >> This is the important part of my setup:
> >>>> >>
> >>>> >> [global]
> >>>> >> #Network ID
> >>>> >> workgroup = JUSBAIRES
> >>>> >> netbios name = PDC
> >>>> >> netbios aliases = SERVER
> >>>> >> server string =
> >>>> >>
> >>>> >> #Logs
> >>>> >> debug level = 0
> >>>> >> syslog = 0
> >>>> >> log level = 0
> >>>> >> log file = /var/log/samba/%m.%U.log
> >>>> >> max log size = 10000
> >>>> >> panic action = /usr/share/samba/panic-action %d
> >>>> >>
> >>>> >> #Network Support
> >>>> >> name resolve order = wins hosts lmhosts bcast
> >>>> >> socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE
> >>>> >> wins support = yes
> >>>> >> wins proxy = yes
> >>>> >> enhanced browsing = yes
> >>>> >> dns proxy = yes
> >>>> >> time server = yes
> >>>> >> local master = yes
> >>>> >> smb ports = 139
> >>>> >>
> >>>> >> #LDAP
> >>>> >> ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
> >>>> >> ldap suffix = dc=jusbaires,dc=gov,dc=ar
> >>>> >> ldap group suffix = ou=Group
> >>>> >> ldap user suffix = ou=People
> >>>> >> ldap machine suffix = ou=alem,ou=Computers
> >>>> >> ldap delete dn = no
> >>>> >> ldap passwd sync = yes
> >>>> >>
> >>>> >> #Printer Options
> >>>> >> printcap name = /dev/null
> >>>> >> printing = bsd
> >>>> >> load printers = no
> >>>> >>
> >>>> >> #Security Options
> >>>> >> admin users = administrador lgiacchetta
> >>>> >> enable privileges = yes
> >>>> >> preferred master = yes
> >>>> >> lm announce = yes
> >>>> >> domain master = yes
> >>>> >> domain logons = yes
> >>>> >> encrypt passwords = yes
> >>>> >> pam password change = yes
> >>>> >> passdb backend = ldapsam:"ldap://127.0.0.1 ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar"
> >>>> >> passwd chat debug = no
> >>>> >> check password script = /usr/local/bin/crackcheck -d /var/cache/cracklib/cracklib_dict
> >>>> >> unix charset = 850
> >>>> >> dont descend = .recycle
> >>>> >> delete veto files = yes
> >>>> >> restrict anonymous = 1
> >>>> >>
> >>>> >> #Profiles stuff
> >>>> >> logon script = netlogon.%U.bat
> >>>> >> logon path = \\PDC\profiles\%U
> >>>> >> logon home = \\PDC\personal
> >>>> >> logon drive = H:
> >>>> >> hide files = /Desktop.ini/desktop.ini/
> >>>> >> hide dot files = yes
> >>>> >
> >>>>
> >>>>
> >>>
> >>>
> >>
> >
> >
>
>
--
***
Cleber P. de Souza
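The thread turns on what the pam_cracklib options in Guido's line (minlen=6 dcredit=2 difok=2) actually enforce. The following is an added example, not pam_cracklib's code and not anything posted in the thread: a small Python model of the checks the pam_cracklib(8) man page describes (reversed/rotated/case-only variants, difok, and minlen with per-class credits). One point it makes visible is the sign of dcredit: a value N >= 0 is a credit that only shortens the required length and never requires a digit, while N < 0 requires at least -N digits. Dictionary (cracklib) and history checks are not modelled, and the similarity rule is the man-page description rather than a line-for-line port.

```python
"""Model of the pam_cracklib checks discussed above (added example, not
pam_cracklib's own code).

It follows the pam_cracklib(8) man page description of the options:
  - the new password must not be the old one reversed, rotated, or changed
    only in case;
  - difok: at least this many characters of the new password must not
    occur in the old one (pam_cracklib skips this test when the new
    password is at least twice as long as the old one);
  - minlen is compared against length PLUS credits: for dcredit, ucredit,
    lcredit and ocredit, N >= 0 grants up to N credits for that class and
    never requires it, while N < 0 requires at least -N characters of it.
Dictionary (cracklib) and password-history checks are not modelled.
"""


def _class_credit(count, n):
    """Return (credit, ok) for one character class with option value n."""
    if n >= 0:
        return min(count, n), True       # credit only, never a requirement
    return 0, count >= -n                # no credit; -n is a hard minimum


def cracklib_check(old, new, minlen=9, difok=5,
                   dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Return None if `new` is acceptable, otherwise a short reason.

    The defaults are pam_cracklib's own defaults.
    """
    # 1. trivial transformations of the old password
    if new == old:
        return "is the same as the old one"
    if new == old[::-1]:
        return "is the old password reversed"
    if new.lower() == old.lower():
        return "differs from the old one only in case"
    if len(new) == len(old) and new in old + old:
        return "is a rotated version of the old one"

    # 2. difok: count characters of `new` that appear nowhere in `old`
    if len(new) < 2 * len(old):
        fresh = sum(1 for c in new if c not in old)
        if fresh < difok:
            return "is too similar to the old one (difok)"

    # 3. minlen with per-class credits / minimums
    classes = (
        ("digit", sum(c.isdigit() for c in new), dcredit),
        ("uppercase", sum(c.isupper() for c in new), ucredit),
        ("lowercase", sum(c.islower() for c in new), lcredit),
        ("other", sum(not c.isalnum() for c in new), ocredit),
    )
    score = len(new)
    for name, count, n in classes:
        credit, ok = _class_credit(count, n)
        if not ok:
            return "needs at least %d %s character(s)" % (-n, name)
        score += credit
    if score < minlen:
        return "is too short: %d < minlen %d (after credits)" % (score, minlen)
    return None


if __name__ == "__main__":
    # Constructed inputs: the thread's policy (minlen=6 dcredit=2 difok=2)
    # next to the same policy with dcredit=-2.
    thread = dict(minlen=6, difok=2, dcredit=2)
    fixed = dict(minlen=6, difok=2, dcredit=-2)
    for candidate in ("abcdefgh", "ab12", "drowssap", "Password"):
        print("%-9s dcredit=2 : %s" % (candidate,
              cracklib_check("password", candidate, **thread) or "accepted"))
        print("%-9s dcredit=-2: %s" % (candidate,
              cracklib_check("password", candidate, **fixed) or "accepted"))
```

Under the thread's policy "abcdefgh" is accepted with no digit at all, and the four-character "ab12" passes minlen=6 because two digit credits plus one lowercase credit lift its score to 7; with dcredit=-2 the first is rejected for lacking digits and the second for being too short. None of this changes the other finding in the thread, that PAM is only consulted at all when Samba actually runs the password stack.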
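On the pdbedit question: the "maximum password age" policy is an age in seconds that Samba adds to the time the password was last set, and the default 4294967295 (0xFFFFFFFF) means "never". 1180224000 is not six months; read as an age it is roughly 37 years, which from late 2006 lands past January 2038. The following is an added example, not Samba code and not from the thread, that works the arithmetic through under one labelled assumption: that the server keeps time_t in a signed 32-bit integer, as a 32-bit Debian box of that era would, so a sum past 2^31-1 wraps negative and the must-change date ends up decades before 1970. The constructed "last set" moment, 2006-12-28 00:00 UTC, is mine; Guido's exact date is not on the page, so the example lands in 1908 rather than the 1907 he saw.

```python
"""Added example (not Samba code): how a "maximum password age" value turns
into a must-change time, and why a value that is really a Unix timestamp
instead of an age can land decades in the past.

Assumptions made here:
  - pdbedit -P "maximum password age" -C N takes an AGE in seconds, and the
    must-change time is last_set + N;
  - 4294967295 (0xFFFFFFFF), the default pdbedit shows, means "never";
  - the server keeps time_t in a signed 32-bit integer, as a 32-bit Debian
    box of 2006 would, so anything past 2038-01-19 wraps negative.
"""
from datetime import datetime, timedelta, timezone

NEVER = 0xFFFFFFFF            # pdbedit's default: password never expires
INT32_MAX = 2**31 - 1
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def days_to_seconds(days):
    """An age of `days` days, the unit the policy actually wants."""
    return days * 86400


def wrap_int32(value):
    """Wrap an integer the way a signed 32-bit time_t would."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def overflows_int32(last_set, max_age):
    """True if last_set + max_age does not fit in a signed 32-bit time_t."""
    return last_set + max_age > INT32_MAX


def must_change_time(last_set, max_age, bits=32):
    """Return the must-change moment as an aware UTC datetime, or None when
    the policy is "never". bits=32 simulates a 32-bit time_t."""
    if max_age == NEVER:
        return None
    raw = last_set + max_age
    if bits == 32:
        raw = wrap_int32(raw)
    # EPOCH + timedelta handles negative values on every platform,
    # unlike datetime.fromtimestamp().
    return EPOCH + timedelta(seconds=raw)


if __name__ == "__main__":
    # Constructed input: a password set on 2006-12-28 00:00 UTC.
    last_set = 1167264000
    cases = (
        ("default (never)", NEVER),
        ("1180224000 (a timestamp, not an age)", 1180224000),
        ("180 days = %d s" % days_to_seconds(180), days_to_seconds(180)),
    )
    for label, age in cases:
        when = must_change_time(last_set, age)
        flag = ""
        if age != NEVER and overflows_int32(last_set, age):
            flag = "  <-- overflows a 32-bit time_t"
        print("%-40s -> %s%s" % (label, when.date() if when else "never", flag))
```

With a real six-month age, `pdbedit -P "maximum password age" -C 15552000`, the same password set on 2006-12-28 comes due on 2007-06-26; with 1180224000 the 32-bit sum wraps to April 1908, while a 64-bit time_t would simply put it in 2044.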